[Openstack] the definition of X-aaS in neutron

Salvatore Orlando sorlando at nicira.com
Mon Nov 25 19:02:06 UTC 2013


Hi Lorin,
I think yours is a very good question; I am afraid I am not able to provide
a straight answer regarding in which cases one service should be preferred
to the other.

Technically the difference would be that a firewall rule is enforced only
at the edge of your network, and is therefore not enforced for intra-tenant
and inter-tenant traffic, whereas a security group rule is enforced on
every port where the security group applies.

As an example, one could use a security group to allow traffic on ports 80
and 443 on all instances regardless of the source security group, and a
firewall rule to block access to port 80 from external sources. The result
would be that HTTP would be open for 'internal' traffic whereas only HTTPS
would be available for externally-generated traffic.
It is completely true that the same could be achieved with security groups
only, but in this way one would not pay the performance penalty of having
to evaluate the HTTP rule for internal traffic.
It might be argued that a tenant should not really have to be aware of the
network topology and the burden of choosing where the rule should be
enforced should be up to the underlying implementation; this is definitely an
argument worth discussing.

Moreover, another technical difference is that security group rules express
what traffic is allowed, assuming that the baseline is deny all; whereas
firewall rules can express both allow and deny actions.

Regards,
Salvatore
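To make the two enforcement points described above concrete, here is a small model, added as an example rather than code from Neutron or from anyone in this thread. It treats the firewall as an ordered allow/deny policy evaluated only for traffic that enters the tenant network from outside (the edge), and the security group as an allow-list evaluated on the destination port for every flow, with deny-all as its baseline. The addresses, the tenant CIDR and the "deny" default for traffic that matches no firewall rule are assumptions of the model, not FWaaS facts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing: one tenant subnet behind a Neutron router
# (hypothetical values, not taken from the thread).
TENANT_CIDR = "10.0.0.0/24"


@dataclass(frozen=True)
class Flow:
    src: str     # source IP of the packet
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port


@dataclass(frozen=True)
class SGRule:
    """A security-group rule only ever permits traffic; the baseline is deny-all."""
    proto: str
    port_min: int
    port_max: int
    remote_cidr: str = "0.0.0.0/0"  # "regardless of the source" in the mail's example

    def matches(self, flow: Flow) -> bool:
        return (self.proto == flow.proto
                and self.port_min <= flow.dport <= self.port_max
                and ip_address(flow.src) in ip_network(self.remote_cidr))


@dataclass(frozen=True)
class FWRule:
    """A FWaaS rule carries an explicit action, so it can deny as well as allow."""
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # None = any protocol
    dport: Optional[int] = None        # None = any destination port
    source_cidr: Optional[str] = None  # None = any source

    def matches(self, flow: Flow) -> bool:
        return ((self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport)
                and (self.source_cidr is None
                     or ip_address(flow.src) in ip_network(self.source_cidr)))


def sg_verdict(rules: List[SGRule], flow: Flow) -> str:
    """Security groups are an allow-list: any matching rule admits the flow."""
    return "allow" if any(r.matches(flow) for r in rules) else "deny"


def fw_verdict(policy: List[FWRule], flow: Flow, default: str = "deny") -> str:
    """Firewall policy: ordered rules, first match wins. The default verdict for
    traffic matching no rule is an assumption of this model."""
    for r in policy:
        if r.matches(flow):
            return r.action
    return default


def evaluate(flow: Flow, fw_policy: List[FWRule], sg_rules: List[SGRule],
             tenant_cidr: str = TENANT_CIDR) -> Tuple[bool, list]:
    """Return (allowed, path). The firewall sits at the network edge, so only
    traffic arriving from outside the tenant network is checked against it;
    the security group applies on the destination port whatever the source."""
    path = []
    if ip_address(flow.src) not in ip_network(tenant_cidr):
        v = fw_verdict(fw_policy, flow)
        path.append(("firewall", v))
        if v == "deny":
            return False, path
    v = sg_verdict(sg_rules, flow)
    path.append(("security-group", v))
    return v == "allow", path


# The configuration from the mail: the security group opens 80 and 443 to any
# source; the firewall denies port 80 from outside and lets everything else in.
WEB_SG = [SGRule("tcp", 80, 80), SGRule("tcp", 443, 443)]
EDGE_POLICY = [FWRule("deny", proto="tcp", dport=80, source_cidr="0.0.0.0/0"),
               FWRule("allow")]

if __name__ == "__main__":
    # 203.0.113.5 is an external (documentation-range) address, 10.0.0.7 an internal one.
    for f in (Flow("203.0.113.5", "tcp", 80), Flow("203.0.113.5", "tcp", 443),
              Flow("10.0.0.7", "tcp", 80), Flow("10.0.0.7", "tcp", 22)):
        ok, path = evaluate(f, EDGE_POLICY, WEB_SG)
        print(f"{f.src:>12} -> {f.proto}/{f.dport}: {'ALLOW' if ok else 'DENY '} via {path}")
```

Running it shows the outcome the mail describes: HTTP from outside is stopped at the firewall before any security group is consulted, HTTPS from outside passes the firewall and is then admitted by the security group, internal HTTP is admitted by the security group alone, and internal SSH is dropped by the security group's deny-all baseline.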


On 25 November 2013 19:38, Lorin Hochstein <lorin at nimbisservices.com> wrote:

>
> On Mon, Nov 25, 2013 at 10:43 AM, Remo Mattei <Remo at mattei.org> wrote:
>
>> the FWaaS is different from Security Groups. It acts on the router port
>> whereas Security Groups handle the provider network layer.
>>
> What's the difference from the point of view of the end-user? In
> particular, when should they use security groups and when should they use
> FWaaS? And when there's overlapping functionality, how should they decide
> which one to use?
>
>>  --
>> Remo Mattei
>>
>>
>> November 25, 2013 at 7:42:57, Liu Wenmao (marvelliu at gmail.com)
>> wrote:
>>
>>   Hi all:
>>
>> I notice that there are two security ACL approaches in neutron: security
>> group and FWaaS; both have standard CRUD operations. Why is FWaaS a
>> *service*, but security group is not?
>>
>> I wonder what the definition of a service is. Thanks
>>
>> Liu Wenmao
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to : openstack at lists.openstack.org
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>>
>
>
> --
> Lorin Hochstein
> Lead Architect - Cloud Services
> Nimbis Services, Inc.
> www.nimbisservices.com
>